Fortigate Configuration Guide

The following instructions outline how to set up a Fortinet Fortigate network for the Marketing4WiFi Platform. This guide covers configuring RADIUS, walled garden entries, and captive portals. It assumes that your Fortigate is already operational and on a live network. Please make sure any firewall rules, web content filters, and other security measures have been configured to interface with the platform.

Checklist before proceeding with the Fortigate configuration

  1. Log in to the dashboard and check Operator Customizations to confirm your Platform Environment.
  2. The MAC addresses of all APs that will be broadcasting the Guest WiFi signal need to be added to the hotspot as gateways, or guests will receive a hotspot deactivated message.
  3. You will need Fortigate OS v5.6 or above to complete the guide.


    1. Log in to your Fortigate appliance
    2. Use the navigation panel to the left to open User & Authentication and click on RADIUS Servers
    3. Click Create New and configure with the following settings
      • Name: SmartWiFi
      • Authentication Method: Specify
      • Method: PAP
      • Primary Server IP: use the value for your platform environment (you can confirm your platform environment under Operator Customizations)
        US-A Radius 1 IP: 52.23.46.139
        US-B Radius 1 IP: 3.132.31.3

      • Secret: Available in the Edit Hotspot page in the Marketing4WiFi dashboard, called RADIUS secret
      • Secondary Server IP: use the value for your platform environment (you can confirm your platform environment under Operator Customizations)
        US-A Radius 2 IP: 52.207.192.243
        US-B Radius 2 IP: 3.18.137.68

      • Secret: Available in the Edit Hotspot page in the Marketing4WiFi dashboard, called RADIUS secret
      • Click OK to save the RADIUS Server
    4. Using the navigation panel to the left click on User Groups under the User & Authentication section
    5. Click Create New and configure with the following settings
      • Name: SmartWiFi
      • Type: Firewall
      • Remote Groups: Click Add and choose SmartWiFi as the Remote Server
      • Click OK to add the Remote Server
      • Click OK to save the User Group.
    6. Use the navigation panel to the left to open Policy & Objects and click on Addresses
    7. Click Create New > Address Group and configure with the following settings
      1. Group Name: SmartWiFi
      2. Type: Group
      3. Members: Click the + icon to add to the group
      4. Using the Select Entries menu click +Create > Address and configure with the following settings
        • Name: SmartWiFi Online
        • Type: Subnet
        • IP Range: 10.5.50.0/255.255.255.0
        • Interface: Any
        • Click OK to save the Address
      5. Click the +Create > Address again and configure with the following settings
        • Name: insert wildcard domain here (Example- *.smartwifiplatform.com)
        • Type: FQDN
        • FQDN: insert wildcard domain here (Example- *.smartwifiplatform.com)
        • Click OK to save the Address
      6. Complete step 7.5 for each wildcard entry found in the default walled garden entries for the platform.

        If you’re a white label operator and have your own splash hostname, be sure to include it as an address following the process outlined above in step 7.5.

      7. Using the Select Entries menu add all the entries created in steps 7.4 and 7.5 to the group
      8. Click OK to Save the Address Group
    8. Use the navigation panel to the left to open WiFi & Switch Controller and click on SSIDs
    9. Click Create New > SSID and configure with the following settings
      • Name: SmartWiFi
      • Type: WiFi SSID
      • Traffic mode: Tunnel
      • IP/Netmask: 10.5.50.1/255.255.255.0
      • DHCP Server: Enabled
      • DNS Server: Specify- 8.8.8.8
      • SSID: Guest WiFi (Or whatever name you want)
      • Broadcast SSID: Enabled
      • Security Mode: Captive Portal
      • Portal Type: Authentication
      • Authentication Portal: External
        External URL: Select the one for your platform environment (you can confirm your platform environment under Operator Customizations)
        US-A Splash URL: https://splash.4wifi.net/hotspotlogin.php
        US-B Splash URL: https://splash.4wifi-e2.net/hotspotlogin.php
        If you have your own branded splash hostname you would use https://splash.yourdomain.com/hotspotlogin.php

      • User Groups: SmartWiFi
      • Exempt Destinations/Services: SmartWiFi
      • Redirect after Captive Portal: Specific URL
        Specific URL: Select the one for your platform environment (you can confirm your platform environment under Operator Customizations)
        US-A Redirect URL: https://splash.4wifi.net/hotspotlogin.php?res=success
        US-B Redirect URL: https://splash.4wifi-e2.net/hotspotlogin.php?res=success
        If you have your own branded splash hostname you would use https://splash.yourdomain.com/hotspotlogin.php?res=success

      • Click OK to save
    10. Use the navigation panel to the left to open Policy & Objects and click on Firewall Policy
    11. Click Create New and configure with the following settings
      • Name: SmartWiFi
      • Incoming Interface: Guest WiFi or whatever you named the SSID (SmartWiFi)
      • Outgoing Interface: Select your configured WAN
      • Source: SmartWiFi
      • Destination: all
      • Schedule: always
      • Service: ALL
      • Action: Accept
      • Enable this policy: Enabled
      • Click OK to save
    12. This completes the configuration through the user interface. The following steps must be completed using a command line.
      1. Use the menu panel on the top to open a new CLI Console window
      2. To configure RADIUS Accounting enter the following commands. Fill in the “x.x.x.x” and XXXXXX in the instructions below with the RADIUS Server IPs and Secret you used in step 3 of this guide.
        config user radius
        edit "SmartWiFi"
        config accounting-server
        edit 1
        set status enable
        set server "x.x.x.x"
        set secret XXXXXX
        next 
        edit 2
        set status enable
        set server "x.x.x.x"
        set secret XXXXXX
        next
        end
        end
        
      3. To enable RADIUS CoA enter the following commands
        config user radius
        edit "SmartWiFi"
        set radius-coa enable
        set acct-all-servers enable
        next
        end
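
To confirm the CLI steps above took effect, run `show user radius` in the CLI Console and check the output. The Python script below is an added example, not part of the vendor guide: it parses that output and reports which of the guide's RADIUS settings (PAP, CoA, acct-all-servers, both accounting servers) are missing. The sample output is constructed, and the function names `parse` and `audit` are hypothetical.

```python
import shlex

# Constructed `show user radius` output (not captured from a device): US-A IPs
# from the guide; acct-all-servers and accounting-server 2's status are missing.
SAMPLE = """\
config user radius
    edit "SmartWiFi"
        set server "52.23.46.139"
        set auth-type pap
        set radius-coa enable
        config accounting-server
            edit 1
                set status enable
                set server "52.23.46.139"
            next
            edit 2
                set server "52.207.192.243"
            next
        end
    next
end
"""

def parse(text):
    """Parse well-formed `show` output (config/edit/set/next/end) into nested dicts."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) > 2:
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def audit(text, name="SmartWiFi"):
    """Return findings; an empty list means the guide's RADIUS settings are present."""
    srv = parse(text).get("user radius", {}).get(name)
    if srv is None:
        return [f"RADIUS server {name} not found"]
    want = {"auth-type": "pap", "radius-coa": "enable", "acct-all-servers": "enable"}
    findings = [f"{k}: expected {v}, found {srv.get(k)}" for k, v in want.items() if srv.get(k) != v]
    for idx in ("1", "2"):
        entry = srv.get("accounting-server", {}).get(idx, {})
        if entry.get("status") != "enable" or not entry.get("server"):
            findings.append(f"accounting-server {idx}: not enabled or no server set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "OK")
```
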

Troubleshooting Tips

  1. If devices are redirected but the page fails to load, please ensure all of the walled garden entries have been configured and added to the address group assigned to the Exempt Destinations/Services of the Guest WiFi SSID.
  2. If devices are redirected but presented with a hotspot deactivated message, please ensure that the MAC addresses of all access points broadcasting the Guest WiFi SSID have been added to the platform as Fortinet gateways.

Disclaimer on hardware configuration guides in the KB:

This equipment has been integrated and tested in our labs with the Smart WiFi Platform using the firmware versions below.

Fortigate 200F firmware v7.0.6
AP firmware version PU421E-v6.2-build0267

LIMITED HARDWARE SUPPORT: Hardware manufacturers frequently make changes to firmware, controllers and GUIs. The information below may be out of date or images may be different and is to be used as a general reference guide. We do offer additional limited support to help with troubleshooting and we highly recommend that you have a hardware support agreement and/or access to a hardware support engineering representative from the manufacturer.

 

 

 

Updated on August 10, 2022
